Saturday, June 9, 2012

Has everyone changed their LinkedIn password?

LinkedIn was hacked and over 6 million password hashes got stolen.
As if that weren't bad enough, the hashes weren't salted, and to make it all worse, the hashes are out on the net.

The story got out on June 6, 2012, when a user with the alias "dwdm" asked InsidePro forum members for help cracking over 6.4 million passwords from LinkedIn.
Copies of the list were duplicated to several file-sharing sites and can be easily found.

Some of the hashes may have already been cracked by the original poster or by other hackers. I strongly recommend changing your passwords.

Follow LinkedIn's updates on the issue on their blog: http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/.

You can check if your password was on the list on this site: http://dazzlepod.com/linkedin/
Be careful :-)

You can also download the full password list from Dropbox: https://www.dropbox.com/s/mfd4h4oylp3691a/linkedin.com.zip, thanks to HackTalk.

A few lessons can be had:
  1. Nothing is secure on the net. Not even on sites like LinkedIn.
  2. When designing a database that holds passwords, if you're using a standard hash, at least add a salt.
  3. If you stole a bunch of passwords and would like them to remain relevant, don't ask for help cracking SHA-1 on the web!!!
If you want to crack the SHA list for yourself, use http://hashcat.net/hashcat/
Post requests if you want me to post a tutorial.
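
Lesson 2 in practice, as an added example that is not part of the original post: with bare SHA-1, every account that uses the same password stores the same hash, while a random per-user salt plus a slow key-derivation function (PBKDF2 here) makes each stored value unique. The account names, passwords, and iteration count are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme described in the post: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_password_groups(table: dict[str, str]) -> list[list[str]]:
    """Group users whose stored hash is identical (i.e. same password)."""
    by_hash = defaultdict(list)
    for user, digest in table.items():
        by_hash[digest].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, deliberately slow hash: random 16-byte salt per user + PBKDF2."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed sample accounts (not real data).
ACCOUNTS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "S3parate!pw"}

if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    print("unsalted, shared hashes:", shared_password_groups(weak))
    strong = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    salted_view = {u: d.hex() for u, (_, d) in strong.items()}
    print("salted, shared hashes:", shared_password_groups(salted_view))
    salt, digest = strong["alice"]
    print("alice verifies:", verify_password("linkedin123", salt, digest))
```

Store the salt next to the digest for each user; it is not a secret, it only has to be unique per account.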
